<p>Reading Standard Input is security-sensitive. It has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2337">CVE-2005-2337</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11449">CVE-2017-11449</a> </li>
</ul>
<p>It is common for attackers to craft inputs enabling them to exploit software vulnerabilities. Thus any data read from the standard input (stdin)
can be dangerous and should be validated.</p>
<p>This rule flags code that reads from the standard input.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> data read from the standard input is not sanitized before being used. </li>
</ul>
<p>You are at risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p><a href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">Sanitize</a> all data read from the standard input before using it.</p>
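<p>The following program is an added illustration of that practice and is not part of the rule description. Every value read from <code>System.in</code> is treated as untrusted: lines are length-bounded, the user name must match an allowlist pattern, the port must parse and fall inside an accepted range, and a password read through <code>Console.readPassword</code> is wiped after use. The limits, patterns and prompts are assumptions chosen for the example; Java 11 or later is assumed for <code>Optional.isEmpty()</code>.</p>

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example (not from the rule description): stdin is untrusted, so every
// value passes through an allowlist check before the program acts on it.
// MAX_LEN, the USERNAME pattern and the port range are assumptions.
public class StdinValidation {
    private static final int MAX_LEN = 64;
    // Allowlist: 1-32 ASCII letters, digits, '_' or '-'.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");

    /** Reads one line, rejecting missing or oversized input. */
    static Optional<String> readBoundedLine(BufferedReader in) throws IOException {
        String line = in.readLine();
        if (line == null || line.length() > MAX_LEN) {
            return Optional.empty();
        }
        return Optional.of(line);
    }

    /** Accepts the user name only if it matches the allowlist. */
    static Optional<String> validateUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(raw);
    }

    /** Parses a port number and checks it lies in the accepted range. */
    static Optional<Integer> validatePort(String raw) {
        try {
            int port = Integer.parseInt(raw.trim());
            return (port >= 1024 && port <= 65535) ? Optional.of(port) : Optional.empty();
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws IOException {
        BufferedReader in = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8));

        System.out.print("user: ");
        Optional<String> user = readBoundedLine(in).flatMap(StdinValidation::validateUsername);
        System.out.print("port: ");
        Optional<Integer> port = readBoundedLine(in).flatMap(StdinValidation::validatePort);

        if (user.isEmpty() || port.isEmpty()) {
            System.err.println("rejected: input failed validation");
            System.exit(1);
        }
        // Only validated values reach the rest of the program.
        System.out.println("connecting as " + user.get() + " on port " + port.get());

        // Passwords: Console.readPassword does not echo; wipe the buffer afterwards.
        java.io.Console console = System.console();
        if (console != null) {
            char[] secret = console.readPassword("password: ");
            try {
                if (secret.length < 12 || secret.length > 128) {
                    System.err.println("rejected: password length out of range");
                }
            } finally {
                Arrays.fill(secret, '\0');
            }
        }
    }
}
```

<p>Validation happens at the boundary, in small functions that return <code>Optional</code>, so the rest of the program never sees a raw stdin string; that is what a reviewer looks for when the rule flags a read from <code>System.in</code> or <code>System.console()</code>.</p>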
<h2>Sensitive Code Example</h2>
<pre>
class A {
    void foo(String fmt, Object... args) throws Exception {
        // Sensitive. Check how the standard input is used.
        System.in.read();

        // Sensitive. Check how safe this new InputStream is.
        System.setIn(new java.io.FileInputStream("test.txt"));

        java.io.Console console = System.console();
        // Sensitive. All the following calls should be reviewed as they use the standard input.
        console.reader();
        console.readLine();
        console.readLine(fmt, args);
        console.readPassword();
        console.readPassword(fmt, args);
    }
}
</pre>
<h2>Exceptions</h2>
<p>All references to <code>System.in</code> will create issues except direct calls to <code>System.in.close()</code>.</p>
<p>Command line parsing libraries such as JCommander often read standard input when asked for passwords. However this rule doesn't raise any issue in
this case as another hotspot rule covers command line arguments.</p>
<h2>See:</h2>
<ul>
  <li> <a href="https://cwe.mitre.org/data/definitions/20.html">MITRE, CWE-20</a> - Improper Input Validation </li>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>